States Issue Privacy Ultimatums to Education Technology Vendors

Last October Connecticut’s leading education groups and associations issued a joint ultimatum to vendors that use or collect student data: Comply with our new data-privacy requirements or take your business elsewhere.

The requirements came courtesy of a new state law that has led to a flurry of activity by vendors, school districts and the state’s department of education, who are all scrambling to ensure compliance before the July 2018 deadline. After that date, vendors who haven’t signed written privacy agreements can’t have their products used in any classroom in the state.

The Connecticut law outlines terms around the way identifiable student information can be used by vendors—anyone from yearbook publishers to niche apps to Google. Privacy advocates and parent groups applaud the new measure for protecting students from targeted advertising and requiring notification when data breaches occur. But some education leaders say the law is difficult to comply with and does not take into account the many different kinds of student data.

Unintended Consequences

At a recent SXSW EDU session, Amelia Vance, the director of the Education Privacy Project for the Future of Privacy Forum, was forthright about the challenges the law posed for districts.

I get an email a day from district tech directors asking about Google

Doug Casey

“What no one, including myself, who looked at the law foresaw was that the general counsel’s office at the state department of education interpreted that a written contract had to be in place between any vendor and any school system throughout the state,” Vance said at the event. “So you have a lot of school systems spending time, money and certainly lots of legal fees trying to get the various bussing companies, catering companies, and app developers together and convince them to sign off on a very strict law that goes beyond what the vast majority of states require.”

That districts are individually responsible for negotiating these contracts may seem like a fine detail, says Doug Casey, executive director of the Connecticut Commission on Education Technology, in an interview with EdSurge. “But, for example, we can’t just create a statewide agreement for certain products, because the law stipulates that these are agreements between a board of ed and a contractor.”

There is also an issue of timing, according to Casey. Passed in June 2017, the law gave districts a little more than a year to become compliant. That left the state’s 169 districts struggling to identify every vendor that touches student data, even if it’s only used in a single classroom with a single student, and get their written consent.

In response, the state’s department of education created an online platform, called the Connecticut Educational Software Hub, to help speed the process. For vendors, it’s a place to advertise products and signal intent to abide by the law’s provisions via a specially-constructed privacy pledge. For districts, the Hub lets administrators search products from vendors that comply with the law by grade level or subject area, and post reviews.

The Hub is hardly a panacea for districts, though, since signing the pledge doesn’t satisfy the requirement that districts and vendors have a written agreement in place regarding student privacy. So Casey’s organization has encouraged a quick fix—vendors and districts can copy and paste some boilerplate language as an addendum to existing contracts, or sign a short agreement to address the new law.

Still, it has been an uphill battle to get edtech behemoths like Google to even bother. “I get an email a day from district tech directors asking about Google,” Casey says, adding that while nothing is final, lawyers from both Connecticut and the search giant are currently ironing out the details. “I have been reaching out to engage the biggest edtech companies directly. Otherwise, I fear they won’t comply, and that would be a huge problem for our districts.”

A Heavy Lift

In many ways the frustration in Connecticut mirrors challenges across the country as states have wrestled with the tough issue of balancing student privacy and efforts to use technology in teaching. Since 2013, more than 120 new student-privacy laws have passed in 40 states, according to FERPA Sherpa, a resource site launched by the nonprofit Future of Privacy Forum and the Data Quality Campaign.

These laws have very serious consequences, and they do affect students every day as much or in some cases more than the privacy violations we are concerned about

“Parents are rightly concerned, as more and more technology and data is being used in schools, about how that data is being protected,” says Vance. The laws make positive contributions to privacy protections, she continues, but can have unintended side effects for districts and educators. “These laws have very serious consequences, and they do affect students every day as much or in some cases more than the privacy violations we are concerned about.”

In 2014, Louisiana passed what Vance considers the most strict student-privacy law in the country, which required parents to give opt-in consent any time students’ personally identifiable information was shared with anyone in any form—from printing the names of football players to posting artwork in school hallways to submitting student names to the state scholarship fund. It also came with stiff penalties for violations, including jail time and hefty fines for teachers and school officials.

The law has particularly impacted state officials. “We are no longer allowed to receive personally identifiable information,” says Kim Nesmith, the data governance and privacy director for the Louisiana Department of Education, speaking at the same SXSW EDU event. “As someone who has worked in data at the state level, this makes it really hard.”

Workarounds had to be found, substituting student names with personal ID numbers, for example, which created challenges for both schools and the state in correlating and verifying student identities on standardized tests.

I like to say parents entrust us with their children and their data. We have responsibilities in both arenas

Kim Nesmith

In its second year, the law was amended to allow districts to switch from opt-in to opt-out policies, but that meant each district could write policies that were completely different from their neighbors. “It made it so it’s very hard for me in my role to provide training for teachers and administrators because every policy is different,” Nesmith says. “I don’t know all the policies. It’s been quite unique. It’s been good, fun challenging work.”

In Colorado, state legislators passed the Student Data Transparency and Security Act in 2016, requiring each district to post to their websites the vendors they use and the types of personally identifiable information shared with them.

“We’ve been able to do it to the best of our abilities, but it’s a pretty heavy lift,” explains Patrick Mount, the director of information technology at St. Vrain Valley Schools, north of Boulder.

District and state officials have complained that the law places the new compliance requirements without allocating new funding. The department has created resources and sample privacy policies that districts and local education providers can download online.

Part of the reason why data privacy laws can seem so onerous to districts, state education officials and vendors is because they were written at the behest of parents interacting directly with state legislators, Vance says. Frequently, education experts do not help draft a bill’s language, and in some cases they’re not even consulted beforehand.

Such was the case in Georgia, whose legislature tried to pass a privacy law a few years ago, without consulting educators. “Teachers got on busses and went to the state capitol and told the legislature, ‘that won’t work,’” Vance says. In 2015, the state passed a middle-of-the-road law, which puts modest protections in place around security and transparency and is seen by Vance as a model for other states. “A lot of the most difficult legislation has occurred because there hasn’t been that input from everyone in the room.”

Despite the challenges, however, even the strictest laws are having the desired effect: Best practices around student information are being solidified, breach notification procedures are being put into place and both parents and teachers are more aware of the data being collected and shared with vendors.

“It was really hard to get people to notice data privacy and protection,” says Nesmith about the time before Louisiana’s law was passed. “I like to say parents entrust us with their children and their data. We have responsibilities in both arenas. I think that’s a positive. People do listen now.”